Commit ac850c9a authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '212566-foss-design-management-policies' into 'master'

Move Design Management policies to FOSS

See merge request gitlab-org/gitlab!29995
parents 5d191707 632ee3a6
......@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
desc "Issue has moved"
condition(:moved) { @subject.moved? }
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
......@@ -25,6 +28,15 @@ class IssuePolicy < IssuablePolicy
rule { locked }.policy do
prevent :reopen_issue
end
end
IssuePolicy.prepend_if_ee('::EE::IssuePolicy')
rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { locked | moved }.policy do
prevent :create_design
prevent :destroy_design
end
end
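Review bot: The two design rules added at the end of the IssuePolicy section carry no comment saying that design access is derived from issue access, which is the security-relevant link here. The confidential rule earlier in the file prevents the abilities returned by `create_read_update_admin_destroy(:issue)` (by its name this includes `read_issue`), and only through `~can?(:read_issue)` does that also remove `read_design`, `create_design` and `destroy_design`. I would add above the first rule `# Designs inherit the issue's visibility: whoever cannot read the issue (e.g. a confidential one) must not read or change its designs.` and above the second `# Locked or moved issues keep their designs readable but frozen.` Separately, `condition(:moved)` reads only `@subject`, like `:confidential` just above it, so it could probably be declared as `condition(:moved, scope: :subject) { @subject.moved? }`, provided `moved?` has no per-user dependency. The class body starts before the first hunk, so rules outside the visible lines may also affect these abilities.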
......@@ -11,6 +11,7 @@ class ProjectPolicy < BasePolicy
milestone
snippet
wiki
design
note
pipeline
pipeline_schedule
......@@ -107,6 +108,11 @@ class ProjectPolicy < BasePolicy
)
end
with_scope :subject
condition(:design_management_disabled) do
!@subject.design_management_enabled?
end
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
......@@ -299,6 +305,8 @@ class ProjectPolicy < BasePolicy
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
enable :create_design
enable :destroy_design
end
rule { can?(:developer_access) & user_confirmed? }.policy do
......@@ -511,6 +519,17 @@ class ProjectPolicy < BasePolicy
rule { admin }.enable :change_repository_storage
rule { can?(:read_issue) }.policy do
enable :read_design
end
# Design abilities could also be prevented in the issue policy.
rule { design_management_disabled }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
private
def team_member?
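Review bot: `read_design` is enabled at project level for anyone who passes the project-level `can?(:read_issue)` check, and the only hint that this is not the whole story is the one-line comment `# Design abilities could also be prevented in the issue policy.`; the EE comment it replaces also said that a user who cannot read the issue cannot see the designs, and that sentence was dropped in the move. A caller that authorizes `:read_design` against the project alone would not pick up the per-issue prevents (confidential, locked, moved) that live in IssuePolicy, so the comment should say which subject to check, for example `# Project-level design abilities are an upper bound only; authorize against the issue so the IssuePolicy prevents apply.` How existing callers authorize is not visible on this page, so this is a documentation request rather than a reported bypass. The `enable :create_design` / `enable :destroy_design` lines sit in a rule whose opening line is outside the hunk, so the role they are granted to cannot be confirmed from here.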
......
# frozen_string_literal: true
module EE
module IssuePolicy
extend ActiveSupport::Concern
prepended do
condition(:moved) { @subject.moved? }
rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { locked | moved }.policy do
prevent :create_design
prevent :destroy_design
end
end
end
end
......@@ -14,7 +14,6 @@ module EE
license_management
feature_flag
feature_flags_client
design
].freeze
prepended do
......@@ -112,11 +111,6 @@ module EE
!@subject.feature_available?(:feature_flags)
end
with_scope :subject
condition(:design_management_disabled) do
!@subject.design_management_enabled?
end
with_scope :subject
condition(:code_review_analytics_enabled) do
@subject.feature_available?(:code_review_analytics, @user)
......@@ -157,7 +151,6 @@ module EE
rule { can?(:read_issue) }.policy do
enable :read_issue_link
enable :read_design
end
rule { can?(:reporter_access) }.policy do
......@@ -182,8 +175,6 @@ module EE
enable :destroy_feature_flag
enable :admin_feature_flag
enable :admin_feature_flags_user_lists
enable :create_design
enable :destroy_design
end
rule { can?(:public_access) }.enable :read_package
......@@ -345,14 +336,6 @@ module EE
rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
# Design abilities could also be prevented in the issue policy.
# If the user cannot read the issue, then they cannot see the designs.
rule { design_management_disabled }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics
......